Monitoring SONAR detection results to check for false positives
| Article:HOWTO81252 | | | Created: 2012-10-25 | | | Updated: 2012-10-27 | | | Article URL http://www.symantec.com/docs/HOWTO81252 |
The client collects and uploads SONAR detection results to the management server. The results are saved in the SONAR log.
To determine which processes are legitimate and which are security risks, look at the following columns in the log:
The column tells you immediately whether a detected process is a security risk or a possible legitimate process. However, a potential risk that is found may or may not be a legitimate process, and a security risk that is found may or may not be a malicious process. Therefore, you need to look at the and columns for more information. For example, you might recognize the application name of a legitimate application that a third-party company has developed.
Legacy clients do not support SONAR. Legacy clients collect similar events from TruScan proactive threat scans, however, and include them in the SONAR log.
To monitor SONAR detection results to check for false positives
In the console, click Monitors > Logs.
On the Logs tab, in the Log type drop-down list, click SONAR.
Select a time from the Time range list box closest to when you last changed a scan setting.
Click Advanced Settings.
In the Event type drop-down list, select one of the following log events:
Click View Log.
After you identify the legitimate applications and the security risks, create an exception for them in an Exceptions policy.
You can create the exception directly from the SONAR Logs pane.
See Creating exceptions from log events in Symantec Endpoint Protection Manager.
|
|
Legacy ID
v12184014_v81626097
Article URL http://www.symantec.com/docs/HOWTO81252
Terms of use for this information are found in Legal Notices
Thank you.